regen v9_11

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index b742b1599ab9fb1b661a8bb13a16225167bfa9b2..5e37b72d9c66137551e4178d2f361beb299453b9 100644 (file)
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -40,6 +40,7 @@
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
@@ -80,6 +81,36 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
+<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
+    <p>
+      ICANN is in the process of introducing a new Key Signing Key (KSK) for
+      the global root zone. BIND has multiple methods for managing DNSSEC
+      trust anchors, with somewhat different behaviors. If the root
+      key is configured using the <span class="command"><strong>managed-keys</strong></span>
+      statement, or if the pre-configured root key is enabled by using
+      <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
+      keys up to date automatically. Servers configured in this way
+      will roll seamlessly to the new key when it is published in
+      the root zone. However, keys configured using the
+      <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
+      maintained. If your server is performing DNSSEC validation
+      and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
+      advised to change your configuration before the root zone begins
+      signing with the new KSK. This is currently scheduled for
+      October 11, 2017.
+    </p>
+    <p>
+      This release includes an updated version of the
+      <code class="filename">bind.keys</code> file containing the new root
+      key. This file can also be downloaded from
+      <a class="link" href="https://www.isc.org/bind-keys" target="_top">
+       https://www.isc.org/bind-keys
+      </a>.
+    </p>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_license"></a>License Change</h3></div></div></div>
     <p>
       With the release of BIND 9.11.0, ISC changed to the open

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 039cadd05199c1d9b410e70e435826acb9260609..a5939af26adf560f8eeb6e7176ed7b681e6ee060 100644 (file)
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -245,6 +245,7 @@
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_license">License Change</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>

diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index 159acbb2ee251a6823d400d7f56cdacc50acf449..1ad6efafcc81b03e89a3c309082524a3c2debb87 100644 (file)
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -42,6 +42,36 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
+<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div>
+    <p>
+      ICANN is in the process of introducing a new Key Signing Key (KSK) for
+      the global root zone. BIND has multiple methods for managing DNSSEC
+      trust anchors, with somewhat different behaviors. If the root
+      key is configured using the <span class="command"><strong>managed-keys</strong></span>
+      statement, or if the pre-configured root key is enabled by using
+      <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep
+      keys up to date automatically. Servers configured in this way
+      will roll seamlessly to the new key when it is published in
+      the root zone. However, keys configured using the
+      <span class="command"><strong>trusted-keys</strong></span> statement are not automatically
+      maintained. If your server is performing DNSSEC validation
+      and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are
+      advised to change your configuration before the root zone begins
+      signing with the new KSK. This is currently scheduled for
+      October 11, 2017.
+    </p>
+    <p>
+      This release includes an updated version of the
+      <code class="filename">bind.keys</code> file containing the new root
+      key. This file can also be downloaded from
+      <a class="link" href="https://www.isc.org/bind-keys" target="_top">
+       https://www.isc.org/bind-keys
+      </a>.
+    </p>
+  </div>
+
+  <div class="section">
+<div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_license"></a>License Change</h3></div></div></div>
     <p>
       With the release of BIND 9.11.0, ISC changed to the open